How Russian hackers spied on Microsoft’s executive suite using MS Office

Elite hacker group APT29
Crazy mistake: How Russian hackers spied on Microsoft’s executive floor using MS Office

Midnight Blizzard, also known as APT29, is assigned to the Russian secret service (symbolic image)

© FangXiaNuo/Getty Images

For months, hackers were able to read the emails of Microsoft’s top employees. This was possible because of a dramatic mistake when creating a test account. The hackers are no strangers – and are connected to the Russian secret service.

It’s a nightmare for every company: hackers gain access to internal messages and can read even the most secret communications from management for months. The shock for Microsoft was all the greater when it was discovered in mid-January that exactly this had happened. A mistake in setting up the software that was used had made the attack possible.

The company reported this in a blog post on Friday. According to the post, the investigation into the hack has not yet been fully completed, but two important details are already clear: the hack was carried out by a notorious hacker group that is assigned to the Russian foreign intelligence service SWR. And it succeeded because of a pretty dramatic mistake.

Dramatic mistake

According to the report, the attackers gained access using a technique called “password spraying”: the attacker simply tries particularly popular passwords against many accounts until one works. At Microsoft, the attackers managed to get into an old test account that was actually no longer in use, and which turned out to be a real gold mine for the hackers.

As Microsoft itself describes, the hackers were suddenly able to gain full access to the company’s internal email accounts using this simple test account. That shouldn’t actually be possible, as security expert Kevin Beaumont explained on Mastodon over the weekend. “What the post doesn’t say: In order to read all mail accounts (as happened here), you have to be a tenant administrator,” he explains. Because, according to Microsoft, the attackers did not exploit any vulnerabilities, this leaves only one conclusion: the test account was already able to do this on its own.

This, however, points to a very dramatic mistake on the part of the software giant: a mere test account had been given rights that grant access to the entire network. “Without security, multi-factor authentication, firewalls, monitoring or anything similar,” the expert says in shock. Nevertheless, he explicitly praises Microsoft for its openness about the hack.
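The two failures described above, a password spray that goes unnoticed and a forgotten admin-level account without MFA, are both visible to a defender who looks. The following is an added example, not code from Microsoft or from the article: it runs over constructed sign-in events (one source failing against many distinct accounts is the spray signature) and over a constructed directory snapshot with hypothetical field names, and flags privileged accounts that lack MFA or have not been used in months.

```python
from collections import defaultdict

# Constructed sign-in events, not real telemetry: (timestamp, source_ip, account, result).
# One source cycles a single guess through many accounts; one user mistypes her own password.
SIGN_INS = [
    ("2024-01-10T02:00:01Z", "203.0.113.7", "alice", "failure"),
    ("2024-01-10T02:00:09Z", "203.0.113.7", "bob", "failure"),
    ("2024-01-10T02:00:17Z", "203.0.113.7", "carol", "failure"),
    ("2024-01-10T02:00:25Z", "203.0.113.7", "dave", "failure"),
    ("2024-01-10T02:00:33Z", "203.0.113.7", "legacy-test", "success"),
    ("2024-01-10T02:05:00Z", "198.51.100.2", "alice", "failure"),
    ("2024-01-10T02:05:30Z", "198.51.100.2", "alice", "failure"),
    ("2024-01-10T02:06:00Z", "198.51.100.2", "alice", "success"),
]

# Constructed directory snapshot with hypothetical field names: privileged role, MFA state, staleness.
ACCOUNTS = [
    {"name": "legacy-test", "roles": ["tenant-admin"], "mfa": False, "days_since_sign_in": 400},
    {"name": "alice", "roles": ["tenant-admin"], "mfa": True, "days_since_sign_in": 1},
    {"name": "bob", "roles": [], "mfa": False, "days_since_sign_in": 30},
]


def detect_password_spray(events, min_distinct_accounts=4):
    """Flag source IPs whose failures span many distinct accounts (the spray
    pattern) and list any account that the same source then signed into."""
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    for _, ip, account, result in events:
        (failed if result == "failure" else succeeded)[ip].add(account)
    return {
        ip: {"targeted": sorted(accounts), "compromised": sorted(succeeded.get(ip, ()))}
        for ip, accounts in failed.items()
        if len(accounts) >= min_distinct_accounts
    }


def risky_privileged_accounts(accounts, stale_days=90):
    """Privileged accounts with no MFA or no recent use: the kind of forgotten
    test account the article describes."""
    return [
        a["name"] for a in accounts
        if a["roles"] and (not a["mfa"] or a["days_since_sign_in"] > stale_days)
    ]
```

A single user failing twice from one address is not flagged, which keeps the spray rule from firing on ordinary typos; the staleness threshold is an assumption to tune per tenant.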

Old acquaintance

It is not surprising that the attackers quickly recognized the potential of this gift. In its first disclosure, Microsoft made it clear that none other than Midnight Blizzard was behind the attack. The group, also known as APT29, Cozy Bear and Nobelium, is directly linked to the Russian intelligence service SWR and is considered one of the most sophisticated hacker groups in the world. Successful attacks on the Pentagon, as well as the hack of the Democratic Party that had consequences for the outcome of the 2016 US election, are attributed to it.

The fact that Microsoft is so sure about attributing the hack is based on its own experience with Midnight Blizzard, the company writes. The group is known for being particularly meticulous in camouflaging its campaigns. The attacks usually come via additional hijacked accounts at otherwise trustworthy organisations, taken over during the preparatory work. In this way, the requests come from known addresses, appear legitimate, and do not trigger any automatic checks. The group did the same in 2020, when it used a hack of the infrastructure provider Solarwinds to attack countless other companies (Here you can find out more about the procedure – and what Donald Trump had to do with it).

Not only Microsoft affected

Microsoft has not yet revealed exactly what data the hackers were able to access in the two months leading up to their discovery. However, the company assures that no customer data, whether from private individuals or its numerous corporate customers, was stolen during the Russian espionage operation inside the company.

But that doesn’t mean that all Microsoft customers can feel safe: in parallel with the attack on Microsoft itself, several attacks on customers were discovered, which are now being informed, the company writes. Specifically named is the business service provider Hewlett Packard Enterprise (HPE), which was spun off from computer manufacturer HP. Although that attack had already taken place in May, it was only discovered in December.

Sources: Microsoft, Mastodon, CNBC
